The Citrix Blog
posted by Juliano Maldaner

Hello, this is my first post in this community, so let me start with a brief introduction: my name is Juliano Maldaner, a product architect on the Presentation Server team. One of the areas I'm working on is the simplification of the Presentation Server management experience for upcoming releases. We're introducing some exciting new concepts and would like to hear your feedback!

Managing a Presentation Server farm requires much more than configuring Presentation Server components: Operating System and Application settings are just as important. A successful environment must keep PS, Operating System, and Application settings correctly configured and consistent across all servers in the farm. Maintaining this consistency throughout the farm life cycle is one of the major challenges for PS Administrators.

The Windows platform provides an outstanding tool to address these configuration management challenges: Active Directory and Group Policy. An overwhelming majority of PS deployments use Group Policy in some capacity. Integrating PS settings into GPO is possible with MFCOM scripts, but far from ideal. Most deployments use GPO for Windows and Application settings, and Citrix management consoles for PS configuration. Because all settings must be synchronized, we realized that the management experience would be greatly simplified if PS Session Policies and Server settings were within Group Policy Objects themselves!

 

[Figure: Presentation Server settings/policies embedded into Group Policy Editor]

The main benefit of this integration is the creation of a single management template for platform, application, and Citrix configuration. All operations performed with the Group Policy Management Console will include Presentation Server parameters as well. Resultant Set of Policy reports will show all Citrix and platform configuration - a great help for troubleshooting and planning. Backup, Restore, and Migration will allow saving and moving configurations from farm to farm, making replication of environments much easier than it is today.

Another key benefit is the separation of PS settings and servers. Group Policy Objects are associated with Organizational Units, and not with individual servers or users. Common management operations - adding capacity to a silo; repurposing a server; or replacing a broken server - are greatly simplified: simply change the server OU membership, and the settings associated with that silo will automatically apply to the server.

Application Publishing 

The Group Policy integration will NOT require Active Directory schema changes. For this reason, PS objects such as Applications and Administrators will continue to be managed via Citrix management consoles. Application Publishing will be modified to allow association of Applications with Active Directory Server Groups and Organizational Units. This way, apps will be automatically published as soon as the server is assigned to the correct Organizational Unit.

Policy Filters 

The Presentation Server Group Policy extension will improve GPO filtering capabilities to include all filters existing on CPS 4.5 session policies - including SmartAccess. These filters will only apply to the Citrix part of the GPO; platform configuration will apply regardless of the filter result.

The Citrix policies within GPOs will also allow filtering at a per-setting level - native Group Policy only allows filtering at the per-policy level. Some Presentation Server features require complex filtered settings, for example: proximity printing based on client IP address. This feature will allow the configuration of such policies within a single GPO.
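
A small Python model of the filter behaviour described in the two paragraphs above, added here as an illustration and not Citrix code. The GPO names, setting names, filter keys and the first-match rule for entries inside one GPO are assumptions made for the example.

```python
import ipaddress

# Constructed sample data. GPOs are listed lowest precedence first.
# "platform" holds unfiltered OS settings; "citrix" maps each setting to a
# list of (per-setting filter, value) entries; "gpo_filter" gates the whole
# Citrix part of the GPO. All names are hypothetical.
GPOS = [
    {"name": "Farm-Baseline", "gpo_filter": None,
     "platform": {"IdleTimeoutMinutes": 60},
     "citrix": {"DefaultPrinter": [(None, "PRN-LOBBY")]}},
    {"name": "Branch-Printing", "gpo_filter": {"smart_access": "trusted"},
     "platform": {"IdleTimeoutMinutes": 15},
     "citrix": {"DefaultPrinter": [
         ({"client_net": "10.1.0.0/16"}, "PRN-FLOOR1"),
         ({"client_net": "10.2.0.0/16"}, "PRN-FLOOR2")]}},
]

def matches(flt, session):
    """True when every condition in the filter holds for this session."""
    if flt is None:
        return True
    for key, want in flt.items():
        if key == "client_net":
            ip = ipaddress.ip_address(session["client_ip"])
            if ip not in ipaddress.ip_network(want):
                return False
        elif session.get(key) != want:
            return False
    return True

def effective_settings(gpos, session):
    """Merge GPOs in order; later GPOs override earlier ones."""
    result = {}
    for gpo in gpos:
        # Platform settings apply regardless of any Citrix filter result.
        result.update(gpo["platform"])
        # A failed per-policy filter skips only the Citrix part of this GPO.
        if not matches(gpo["gpo_filter"], session):
            continue
        for name, entries in gpo["citrix"].items():
            # Assumption: within one GPO the first matching entry wins.
            for flt, value in entries:
                if matches(flt, session):
                    result[name] = value
                    break
    return result

if __name__ == "__main__":
    print(effective_settings(GPOS, {"client_ip": "10.2.5.9",
                                    "smart_access": "trusted"}))
```

A session that fails the SmartAccess filter still receives the platform setting from the second GPO, which is the behaviour to keep in mind when a Resultant Set of Policy report shows OS and Citrix values coming from different GPOs.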

What about environments without Group Policy? 

There are some important scenarios where Group Policies cannot be used:

  • Environments using other Directory services;
  • Applications that require anonymous (local) accounts;
  • Organizations that restrict or deny AD delegation to PS administrators.

To support these environments, IMA will provide a global Group Policy Object, applied to all servers in the farm. This farm-wide GPO replicates the existing Farm Default settings. Per-server override is possible by configuring the server's Local Group Policy Object.

Our goal is to maintain feature parity with PS 4.5 if Group Policy is not used. However, the Administrator's experience will be optimized for Active Directory and GPO scenarios.

Active Directory and Group Policy are fundamental for a successful Presentation Server environment. Group Policy integration will bring major improvements to the management experience, leveraging existing IT infrastructure and knowledge. The feedback we've received so far has been very positive; please let us know what you think!

  1. Jan 25, 2008

    Anonymous says:

    Adding GPO support will definitely help with creating standardized, consistent environments for users. I do believe the more we can control with group policy the better. However, I do think the following statement may be misleading... "simply change the server OU membership, and the settings associated with that silo will automatically apply to the server."
    Some settings may not apply until a group policy refresh is forced on the machine, the policy refresh interval is reached or a server reboot occurs. This may be more limiting than the current policy architecture in some circumstances.

    1. Jan 25, 2008

      Juliano Maldaner says:

      You are correct, Presentation Server settings will indeed be subject to the GPO refresh cycle. Session policies will apply for all sessions created after the policy change. Server settings will apply after a server reboot; after running "gpupdate" on the server; or after waiting for GPO refresh cycle - configurable, default is 90 minutes.

      On the positive side, all OS, Applications, and Presentation Server settings will refresh at the same time, ensuring that no session is created with inconsistent settings.

  2. Jan 29, 2008

    Anonymous says:

    Any sort of timeline for PS GPOs?

  3. Jan 30, 2008

    Anonymous says:

    Adding GPO support is a great idea. It does allow finally to control some settings from one console instead of 2 as we do now. Keep us informed of progress. 

  4. Jan 31, 2008

    Anonymous says:

    Hi,

    At first I would like to thank you for your kind effort and then requesting you to publish a document of all topics you had posted.

  5. Feb 15, 2008

    Marino Bolssens says:

    Managing presentation server configurations with Group policies is a great benefit. These days we have difficulties keeping servers configured identically. This is done via exports and imports from the respective registry entries. We would love to use GPOs for that. When can we expect this will be released for 4.5?

    1. Feb 15, 2008

      Juliano Maldaner says:

      The Group Policy integration is planned for the next major release of XenApp after project Delaware. Note that these modifications will not be available in a 4.5 HRP. They are too fundamental to be released as a hotfix.

  6. Feb 18, 2008

    Anonymous says:

    Putting session policy and server settings in GPM results in an extra management console for the admins; now they have three: AMC, CMC and GPM.

    Plus the replication of group policy, especially across the Active Directory site, will be problematic for Citrix server, since session policy depends on these settings. And you can ask users to wait for 90 minutes or longer to launch the next session.

    The integration of Citrix settings with AD also makes troubleshooting more complex, since it might involve more parties than just the Citrix administrator.

    We should always simplify the problem, not complicate it.

    1. Feb 19, 2008

      Juliano Maldaner says:

      These are valid concerns. Let me answer them one by topic:

      Management Consoles:

      CMC will no longer exist by this timeframe, all of its functionality will move to GPMC (session policies, printers), or AMC (load evaluators, zones).

      But you are right in pointing out that administrators will have to know and use both GPMC and AMC. Our thought here is that Group Policy is almost mandatory for existing Presentation Server deployments, because of all the Operating System configuration required for such environments - profile configuration, locked down settings, Terminal Server licensing, etc. Group Policy Preferences, in Windows 2008 Server, will make GPO even more common for CPS deployments.

      AMC will be redesigned as a MMC v3 snap-in (without Discovery!). AMC and GPMC can be loaded in a single MMC window. Under AMC, you will find the management nodes for Citrix objects - Applications, Zones, Administrators. Under GPMC, you will find server and user groups (OUs) and policies carrying all OS, Apps, and Presentation Server settings.

      The separation of functions per snap-ins will follow administration tasks - i.e., you won't have to move back-and-forth from snap-in to snap-in to perform any common task.

      Active Directory Refresh:

      Group Policy is tailored for policies, and policies are mostly static. Any configuration that a) changes frequently, or b) must be applied immediately, is not a policy but a management action. Citrix management actions - for example, disabling logons on a server - will not be moved into Group Policies. This will minimize the concerns with AD replication and GPO refresh time.

      The 90 minute refresh for Group Policies applies to servers and sessions that were started before the policy change. When a server reboots, or when a session is created, it will always capture the latest settings. Therefore, new sessions and rebooted servers will always be up-to-date with GPOs. Administrators can force servers and sessions to re-synchronize using "gpupdate". Note also that 90 minutes is just a default setting; Administrators control this parameter - although reducing it too much may overload the Domain Controllers.

      Troubleshooting:

      I assume your comment on troubleshooting is about remediation. Finding issues in CPS environment already requires multi-domain expertise and information. In fact, the integrated Resulting Set of Policies will help identification of issues. Edgesight is another key tool for finding what is wrong on the environment.

      As for remediation, typical operations actions, such as shadow, logoff sessions, killing processes, disabling logons, will remain in Citrix management consoles, for the reasons stated above. Remediation should not require policy changes.

      Active Directory Ownership:

      Active Directory administration delegation should be the answer for environments where AD is controlled by a different team. However, we understand that some environments will not accept this delegation, and will force CPS administrators to follow rigorous - and time consuming - processes to introduce changes in existing policies.

      Some argue that forcing CPS setting changes to go through the corporate change management process is actually desirable. CPS is, after all, part of the IT infrastructure, and other teams may have to review and approve before policies change.

      That's the theory, but sometimes CPS admins will need a way out, and quick. The mechanism we've created for non-AD environments will serve as a safety net: the IMA global Group Policy Object. This GPO will bypass all Active Directory synchronization and ownership issues. Changes in this policy will apply immediately to all new sessions, regardless of AD replication configuration. Note that AD GPO may disable the IMA GPO, for security purposes.

      Thanks for the post, getting these insights is the reason we decided to post our plans here. I hope this clarifies your questions. Let me know otherwise!

  7. Mar 31, 2008

    Anonymous says:

    Hope this is a good place to post my comment about a feature in Xenapp. 

    What I was looking for is a feature where I can change the idle timeout settings: one for peak hours and one for off-peak hours. This way I can lower the number of connections in my farm during peak hours by setting the idle timeout to, say, 15 mins. But during off-peak hours, I would like to set it to 1 hour; this way users who are connected will have more time to work on their work during non-business hours.

  8. Sep 09

    Anonymous says:

    I'm definitely not sure about this GPO approach. We have a clean environment applying policies per GPO and the geographical position of a server inside AD. And we do have another, really great and completely separated set of settings that don't depend on a server's geographical position, but on other things (i.e. client name, IP addresses, smart access, ...). I don't like to get things mixed. I'm rather skeptical; it causes me pain in my belly thinking of upcoming "improvements".

    1. Sep 09

      Juliano Maldaner says:

      The GPO integration is optional, you will be able to use the IMA policy object exclusively, or mix IMA and GPO policies. The IMA policy will evaluate in the policy chain, above the computer Local GPO, and below the domain GPOs.

      The IMA policy will have the exact same functionality as the existing CMC policy system. So if you can't or prefer to maintain policies in IMA exclusively, you will be able to.

      The coolest part of this integration is that the IMA GPO is processed as part of domain policy management actions, such as Resulting Set of Policies reports. So even if you keep all of your policies in IMA, RSoP reports from GPMC will display XenApp and Microsoft settings in the same report. The same is true for AGPM features in MDOP (check-in/check-out; offline editing; rollback; change log).

